CVE-2025-9390: 
Vim vulnerability analysis and mitigation

A security vulnerability (CVE-2025-9390) was discovered in vim up to version 9.1.1615, specifically affecting the main function in the src/xxd/xxd.c component of xxd. The vulnerability was identified on August 24, 2025, and involves a buffer overflow condition that requires local access to exploit. The issue has been patched in version 9.1.1616 (VulDB, NVD).

The vulnerability is a buffer overflow condition that occurs when xxd processes input files with binary output (-b) and EBCDIC encoding (-E) flags. The issue stems from insufficient boundary checking during binary-to-EBCDIC conversion operations. The vulnerability has received a CVSS v4.0 base score of 4.8 (Medium) with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N and a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (VulDB, Snyk).

The vulnerability can lead to buffer overflow conditions that trigger abort signals due to stack protection mechanisms. It affects the confidentiality, integrity, and availability of the system, though all with low severity. The attack requires local access and low privileges to exploit (VulDB, NVD).

The vulnerability has been fixed in vim version 9.1.1616. The patch is identified by commit eeef7c77436a78cd27047b0f5fa6925d56de3cb0. Users are recommended to upgrade to this version or later to address the security issue (Github Commit, Github Release).